
maandag 24 juni 2013

Lately, DNS amplification DDoS attacks have drawn a lot of attention, especially since CloudFlare dedicated several blog posts to them (here and here) and the StopHaus movement almost broke the internet with one.

DNS Amplification Attacks
DNS amplification attacks work by sending a UDP DNS query with a spoofed source address to a recursive (open) DNS resolver. The resolver answers to the source address in the packet, which is the spoofed address, so the response lands at the target of the attack. What makes the attack effective is the size difference: the query is tiny, while the response the DNS server returns is large (the attacker asks for a bulky record type such as ANY and uses EDNS0 to advertise a large UDP buffer, so the answer does not get capped at 512 bytes). This way the traffic that eventually reaches the target is amplified many times, in the hope that it cannot handle that amount and stops responding.
From the attacker's point of view, one benefit of this attack is that the origin is very hard to trace. DDoS attacks are often launched from botnets, but here the victim only sees traffic from open resolvers; because the source address is spoofed, even the bots the queries come from stay hidden.
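To make the "small query, large response" mechanism concrete, here is an added Python example (not code from the original post) that builds the DNS query such an attack sends, in wire format, and computes the resulting amplification factor. It only constructs the packet; it never opens a socket or spoofs anything. The 3433-byte response size for `ANY isc.org` is the figure from the post; the 4096-byte EDNS0 buffer size, the IPv4/UDP header overhead and the helper names are assumptions made for the example.

```python
"""Build the query side of a DNS amplification attack and measure the ratio.

Added example: builds the packet, never sends it (no socket, no spoofing).
"""
import random
import struct

QTYPE_ANY = 255       # the "ANY" record type used in most observed attacks
QTYPE_OPT = 41        # EDNS0 OPT pseudo-record
QCLASS_IN = 1
IP_UDP_OVERHEAD = 28  # assumption: IPv4 (20 bytes) + UDP (8 bytes), fragmentation not counted


def encode_name(name):
    """Encode a domain name into DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, edns_udp_size=4096, txid=None):
    """Return the UDP payload of a DNS query for `name`.

    edns_udp_size > 0 appends an EDNS0 OPT record advertising how large a UDP
    response the client accepts. A plain query caps the answer at 512 bytes;
    advertising 4096 (an assumed, common value) is what lets a resolver return
    a multi-kilobyte ANY answer in one datagram, which is the whole point of
    the attack. The resolver sends that answer to the packet's source address,
    which the attacker forges to be the victim's address.
    """
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100  # RD=1: ask the resolver to recurse on our behalf
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    pkt = header + question
    if edns_udp_size:
        # OPT RR: root name (1 byte), TYPE=41, CLASS=UDP payload size,
        # TTL field (extended rcode/version/flags)=0, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def amplification_factor(query, response_len):
    """Bytes delivered to the victim per byte the attacker sends, counting IP+UDP headers."""
    sent = len(query) + IP_UDP_OVERHEAD
    received = response_len + IP_UDP_OVERHEAD
    return received / sent


if __name__ == "__main__":
    q = build_query("isc.org", txid=0x1234)
    print("query bytes (DNS payload):", len(q))                 # 36
    print("query bytes on the wire  :", len(q) + IP_UDP_OVERHEAD)
    # 3433 bytes is the ANY isc.org response size reported in the post
    print("amplification factor     : %.1f" % amplification_factor(q, 3433))
```

Note that the EDNS0 OPT record costs the attacker only 11 bytes but raises the ceiling on the reply from 512 to 4096 bytes, which is why the advertised buffer size, not just the record type, decides how much amplification an open resolver hands out.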

Statistics
To get some more insight into this kind of DDoS attack, I decided to collect as much data as possible and build a good set of statistics from it. In one month I collected 1,244,584 attacks and extracted their details.
Below are the different records I've witnessed:

Obviously "isc.org in any +ed" is the most used record; not much creativity there. By sending a very small "dig ANY isc.org @dns-host" you get a large response of 3433 bytes that goes directly to the target:

But if we look closer, several domains are of more interest; the names of these five in particular draw attention:
directedat.asia: http://pastebin.com/wxF2EQq9
nukes.directedat.asia: http://pastebin.com/m6x6RMAU (8235 bytes)
ddostheinter.net: -
mydnsscan.us: http://pastebin.com/mSTL4tZG (20714 bytes)
dd0s.asia: http://pastebin.com/Jcxrq8wQ (2538 bytes)
As can be spotted quickly, the size and content of mydnsscan.us in particular make the malicious purpose obvious.
If we look at the name servers used we'll see the following:
Name server            IP address
ns1.mydnsscan.us       -
ns2.mydnsscan.us       188.122.91.99
ns3.mydnsscan.us       188.122.91.99
ns4.mydnsscan.us       -
ns1.directedat.asia    74.91.18.226
ns2.directedat.asia    74.91.18.226

These domains are linked together by the IP addresses their name servers share.
IP address 188.122.91.99 is of particular interest as it runs an fbi.gov IRC server, w00t w00t!

Turns out the guy behind this operation is a 16-year-old, ------ ----. Here's his Facebook [removed], Skype: [removed], another Skype: [removed], HackForums [removed], LeakForums [removed] and, last but not least, his YouTube account [removed].
******, as he prefers to be called, is a talented guy who is very curious about and interested in technology. Sadly, at this stage of his life he is focused on making money the wrong way, which is probably why he runs many booter and stresser services with, according to his own records, 10Gbps of capacity. Some examples are Galaxy booter, Private booter, Versatile booter, apidown.com, var-dev.com, Dos Boss' DDoS service, Ethernal Booter and many more; according to some of his posts on HackForums he also owns a 4k botnet [removed].

Well ------, as I've done previously with a guy who owned a bitcoin mining botnet: contact me and I will remove all of your contact details. You surely know how to reach me.

You don't get a big response using UDP, which is what a DNS resolver or stub resolver tries first. You get a tiny response, which is actually smaller than the question itself, that says "please try again using TCP".

Your dig command clearly shows that dig retried using TCP.

This makes a big difference. TCP is much harder to spoof than UDP. Because of this, TCP is not used for DDoS attacks using DNS amplification. And this is how rate limiting has been implemented in modern DNS servers. This mitigates amplification while not breaking legitimate clients.

Most DNS resolvers will not send a reply using UDP that is larger than 4096 bytes. Google intentionally reduced this limit down to 512 bytes. While scanning a large number of open resolvers, I could only find one service (which has since fixed this vulnerability) willing to send responses of up to 16384 bytes (!) over UDP. Maybe these large records were specially crafted to abuse this service, as they were pretty much useless everywhere else.
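To make the truncation behaviour described in the comment above concrete, here is an added Python example (not code from the original post or from the commenter) that models both sides of the exchange: the resolver capping its UDP reply at the client's buffer size and setting the TC bit, and a stub resolver deciding to retry over TCP. The oversized answer is constructed filler shaped like an ANY reply, not real isc.org data; the 512- and 4096-byte limits are the ones the comment mentions, and the helper names are assumptions made for the example.

```python
"""Model the DNS truncation (TC bit) exchange that limits UDP amplification.

Added example: the oversized answer is constructed filler, not real isc.org data.
"""
import struct

FLAG_QR = 0x8000  # this is a response
FLAG_TC = 0x0200  # truncated: "please retry over TCP"
FLAG_RD = 0x0100
FLAG_RA = 0x0080
QTYPE_ANY = 255
TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name):
    """Domain name to wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_header(pkt):
    """Decode the 12-byte DNS header into the fields a client or IDS cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_end(pkt):
    """Offset just past the question section (assumes QDCOUNT == 1 and an uncompressed name)."""
    pos = 12
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        pos += length
    return pos + 4  # QTYPE + QCLASS


def constructed_response(qname="isc.org", n_txt=14, txid=0x1234):
    """A CONSTRUCTED ~3.7 KB answer: n_txt TXT records of filler, shaped like an ANY reply."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, n_txt, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_ANY, CLASS_IN)
    rrs = b""
    for i in range(n_txt):
        txt = ("filler-%02d-" % i).ljust(254, "x").encode("ascii")
        rdata = bytes([len(txt)]) + txt  # one TXT <character-string>
        # owner name is a compression pointer (0xC00C) back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rrs


def udp_reply(full_response, client_udp_size):
    """Resolver side: send the whole answer if it fits the client's UDP buffer,
    otherwise a minimal reply (header + question) with TC=1 and no answer records.
    Real servers also echo the EDNS0 OPT record and apply rate limiting; omitted here."""
    if len(full_response) <= client_udp_size:
        return full_response
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", full_response[:12])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
    return header + full_response[12:question_end(full_response)]


def client_next_step(reply):
    """Stub resolver side: use the UDP answer, or retry the same question over TCP when TC is set."""
    return "retry over TCP" if parse_header(reply)["tc"] else "use UDP answer"


if __name__ == "__main__":
    full = constructed_response()
    for limit in (512, 4096):  # 512: the comment's Google setting; 4096: the usual EDNS0 cap
        r = udp_reply(full, limit)
        print("client buffer %4d -> %4d bytes over UDP, TC=%-5s -> %s"
              % (limit, len(r), parse_header(r)["tc"], client_next_step(r)))
```

With a 512-byte cap the UDP reply shrinks to 25 bytes, less than the 36-byte EDNS0 query that asked for it, so a spoofed query now yields no amplification at all; the real answer is only available to a client that completes a TCP handshake, which a spoofed source cannot do.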
